Re: Serious bug in "radius" dialup authentication software

Phillip R. Jaenke (prj@NS2.NLS.NET)
Sat, 21 Feb 1998 13:12:37 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Antonomasia: "resource starvation against passwd(1)"
Previous message: Phillip R. Jaenke: "Quick update on Radius bug"
Maybe in reply to: Phillip R. Jaenke: "Serious bug in "radius" dialup authentication software"
Next in thread: Phillip R. Jaenke: "Re: Serious bug in "radius" dialup authentication software"

>You're not telling us which radius server. Livingston 1.16 or 2.01?
>Merit? Cistron? etc (As a matter of fact I am sure Cistron is safe).

Since this is the 22nd email I've recieved on this, I decided to CC: to
bugtraq so everyone will PLEASE stop asking me this.

So far, tested servers are:
Livingston 1.16 to 2.01
RadiusNT v2.x
Merit

So far, the only one NOT vulnerable is Merit. Cistron is untested, so I've
got not idea whether or not it is. Best way to test is to telnet to a
terminal server, and login with a valid username, with 40 or more spaces
after it.

As to Cistron being safe; safe is really relative here. If somebody nasty
has your dialup numbers, then you might have to restart radius a lot.
Otherwise, there's really no security risk that I've found.

-prj

-Ed Kuchar (InterNIC Handle: EK113) [ekuchar@NLS.NET]
NetLink Services, Inc. 216.468.5100(Cleveland) - 330.940.2700(Akron)
sales@nls.net - http://www.nls.net - http://www.getinfo.net
Serving: Cleveland, Akron, Medina, & Geauga County

Next message: Antonomasia: "resource starvation against passwd(1)"
Previous message: Phillip R. Jaenke: "Quick update on Radius bug"
Maybe in reply to: Phillip R. Jaenke: "Serious bug in "radius" dialup authentication software"
Next in thread: Phillip R. Jaenke: "Re: Serious bug in "radius" dialup authentication software"